On May 7, 2026, Microsoft published " When Prompts Become Shells: RCE vulnerabilities in AI agent frameworks " — a retrospective on two Critical (9.9) CVEs in Semantic Kernel that landed in February and were patched within days. The CVEs are bad. The framing is worse — and worth reading carefully. The two CVEs CVE-2026-26030 — eval() on attacker-controlled filter strings InMemoryVectorStore accepts user-supplied filter expressions and evaluates them. Filter strings are interpolated into a Python expression and executed via eval() : expr = f "' or { user_filter } or '" result = eval ( expr , { " __builtins__ " : {}}, {}) Enter fullscreen mode Exit fullscreen mode An AST blocklist exists. It enumerates dangerous node types: Import , Call to known names, attribute access on a denylist. The blocklist was bypassable through undocumented attribute traversal — __name__ , load_module , BuiltinImporter — none of which the filter explicitly denied.…